Asking for general conceptual how-tos is one thing (and even then, horribly fuzzes the white-hat/black-hat line around here), but postings that explicitly include exploit code are another.

Further, the wording of the question itself in this example still sets off the "black hat" alarms in my head. Perhaps a more acceptable phrasing would be "What is the maximum damage that could be caused by exploitation of this vulnerability?". Again, this brings the question to more of a theoretical abstraction instead of seeking a technically detailed attack implementation.

Maybe a more neutral way of phrasing it is, "how could a hacker exploit this vulnerability..." That way, it's neither "white hat" nor "black hat," but the "good guys" at least (hopefully) get the first crack at it. From the look of it, the asker appears to be OK, just a bit untactful.
– Tom Au Jan 30 '15 at 0:53

4 Answers

I've been torn on this issue, but I'm starting to wonder why even risk losing legitimate users and content? Are we really that worried about exploit code?

Almost all exploits can be legitimately used for pentesting and at the very least illustrating to the CTO/CEO why issue X needs to be handled immediately. Sometimes it is nearly impossible to make the business case until you show an executive how quickly the exploit can cause damage.

I agree there should be a line drawn somewhere, but I'm beginning to think it should err on the side of exploits and not censoring knowledge. Most likely people on here aren't inventing these exploits so the information is out there anyway for people to find. At least if it is here we can put it into context. Under the assumption that most people on here are professionals, full disclosure benefits us a lot more than the blackhats.

Here are some thoughts:

Asking for exploits against a specific person (company) is banned unless it is client-side information snooping, i.e. attacks against their machines are banned, but tools illustrating auth attacks and weaknesses like Firesheep should be discussed.

Malware construction questions are out of scope.

Even 0-day exploits are useful for testing. How else can one check if workarounds work?

Personal discretion. Most of us are professionals. People should feel free to hold back information if they think it necessary.

Intent. This is such a weak defense, because it just raises the bar to phrasing carefully; at least it sets the tone and attitude of the community.

note:
I was torn on the Windows 7 question Rory mentions. I answered it and then voted to close (after agreeing with AviD's comment on it). Even bad and closed questions are a chance for people to learn. And it serves as a record to other people that might ask a similar question.

I think that exploit code should not only be allowed, it should be expected! Please let me elaborate a little bit.

I administrate a couple of small websites (CMSs, blogs, online-shops). So, although IT-Security might not be as hard for me as for others (due to low interest in attacking the sites, low complexity of the hosted systems), it is still an issue for me.

I'm no IT-Security expert. So I rely on others finding risks/leaks and providing solutions to them. And it really bothers me, when I'm provided with only the solutions, which happens most of the time:

sanitize your input

close all unneeded ports

...

Why? Because it makes your service safer. But why? As a programmer I've found that by understanding the principles of the language I use and the underlying hardware, my programming abilities improve drastically. The same way I'm sure I could do a much better job in securing my websites by understanding how the attacks actually work - instead of just being provided with tactics to counter vulnerabilities. I hope that this site adopts a policy of:

banning questions that ask for exploit code only

encouraging answers that provide solutions together with the attack that caused the vulnerability in the first place.

That specific question is not a good example, since that is a valid pentest vector. It's done all the time - not to cause real damage in production systems, but as a regular part of testing.

Can this be misused by potential blackhats?
Of course. But that's true of many pentest- or vulnerability-type questions.

Of course, there ARE questions that are solely looking for exploit code - these should be banned, IF there is no real positive value in it (e.g. what to look for in my systems, or how do I protect against it...).